From 8969441ac8a460321f515fa5c7c1f45c3b4f8956 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 22 Feb 2024 03:33:00 +0100
Subject: [PATCH 1/6] friendica must be public
---
 manifest.toml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/manifest.toml b/manifest.toml
index 5af6989..474b4ff 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -1,3 +1,5 @@
+#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/manifest.v2.schema.json
+
 packaging_format = 2
 
 id = "friendica"
@@ -31,10 +33,6 @@ ram.runtime = "50M"
 [install.domain]
 type = "domain"
 
- [install.init_main_permission]
- type = "group"
- default = "visitors"
-
 [install.admin]
 type = "user"
 
@@ -65,6 +63,9 @@ ram.runtime = "50M"
 [resources.permissions]
 main.url = "/"
+main.show_tile = true
+main.allowed = [ "visitors", "all-users" ]
+main.protected = true
 
 [resources.apt]
 packages = "mariadb-server, php8.2-curl, php8.2-mbstring, php8.2-imagick, php8.2-xml, php8.2-zip, php8.2-mysql, php8.2-gd, php8.2-gmp, php8.2-intl"
 
From e1c26f8a2cd36323c667dd41c4cfff52e9278319 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 22 Feb 2024 03:33:11 +0100
Subject: [PATCH 2/6] disable install.private test
---
 tests.toml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tests.toml b/tests.toml
index d83170e..173c0cc 100644
--- a/tests.toml
+++ b/tests.toml
@@ -2,8 +2,10 @@ test_format = 1.0
 
 [default]
- # -------------------------------
- # Commits to test upgrade from
- # -------------------------------
+exclude = [ "install.private" ]
 
 
- test_upgrade_from.dc7cd3eabe212708375c0dcd4ee994a1373a8122.name = "Upgrade from 2023.01~ynh1"
\ No newline at end of file
+# -------------------------------
+# Commits to test upgrade from
+# -------------------------------
+
+test_upgrade_from.dc7cd3eabe212708375c0dcd4ee994a1373a8122.name = "Upgrade from 2023.01~ynh1"
From f1890e861234ed302ef2c71fb8ee4bb23de52751 Mon Sep 17 00:00:00 2001
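Review bot: `main.allowed = [ "visitors", "all-users" ]` together with `main.protected = true` makes `/` public and, as far as I know the YunoHost permission model, keeps the admin from narrowing it afterwards, so Friendica's own login and registration settings become the only access control on the instance; the hunk does not record why that is required. Add a comment above `main.allowed`, e.g. `# Friendica must stay reachable by anonymous visitors (federation), hence a public, protected permission instead of an init_main_permission question`. Since `conf/local-sample.config.php` ships `'register_policy' => \Friendica\Module\Register::OPEN` (visible as context in a later hunk of this series), a public permission also means open sign-ups by default; worth confirming that is the intended exposure.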
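Review bot: `exclude = [ "install.private" ]` switches off the private-install test without saying why, and nothing in tests.toml links it to the protected public permission set in manifest.toml. Put the reason next to it: `# main permission is public and protected (see manifest.toml): a private install is not supported`. Otherwise a later maintainer may re-enable the test or, worse, drop the protection to make it pass.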
From: yunohost-bot Date: Thu, 22 Feb 2024 02:33:16 +0000 Subject: [PATCH 3/6] Auto-update README --- README.md | 4 ++-- README_fr.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6ba8bd8..e503bad 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -49,4 +49,4 @@ or sudo yunohost app upgrade friendica -u https://github.com/YunoHost-Apps/friendica_ynh/tree/testing --debug ``` -**More info regarding app packaging:** +**More info regarding app packaging:** \ No newline at end of file diff --git a/README_fr.md b/README_fr.md index e36af15..f07f5b3 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,5 +1,5 @@ From f3168788a66d4b40a0d8ea311f75bdeaa1097b57 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 22 Feb 2024 05:04:11 +0100 Subject: [PATCH 4/6] Daemon (#127) * add schema * add daemon * finalization * fixes * systemd config renamed to $app-daemon * fixes * fixes * gorgotten yunohost service remove "$app" * fixes * fix StandardOutput * fix this damn pidfile * better comment for posterity * fix yunohost service remove * update config files * fix domain name change * use the provided config file template at install * Auto-update README * post install: show explicitely the admin login (email) * trying to fix the systemd config * fix pidfile config indentation * add log path * remove irrelevant comment * delete an eventual remaining daemon.pid at restoration * fixes * fix a typo for all_users * adding comment: "Removing the cron..." * use ynh_secure_remove instead of rm * add pre upgrade message about the daemon * fix service name * comment --------- Co-authored-by: yunohost-bot --- conf/addon.config.php | 3 +- conf/cron | 2 -- conf/local-sample.config.php | 20 ++++------- conf/systemd.service | 59 +++++++++++++++++++++++++++++++ doc/POST_INSTALL.md | 1 + doc/POST_INSTALL_fr.md | 1 + doc/PRE_UPGRADE.d/2023.12~ynh3.md | 1 + manifest.toml | 2 +- scripts/backup | 3 +- scripts/change_url | 9 +++++ scripts/install | 18 ++++++---- scripts/remove | 13 ++++++- scripts/restore | 14 ++++++-- scripts/upgrade | 29 ++++++++++++--- tests.toml | 2 ++ 15 files changed, 145 insertions(+), 32 deletions(-) delete mode 100644 conf/cron create mode 100644 conf/systemd.service create mode 100644 doc/POST_INSTALL.md create mode 100644 doc/POST_INSTALL_fr.md create mode 100644 doc/PRE_UPGRADE.d/2023.12~ynh3.md diff --git a/conf/addon.config.php b/conf/addon.config.php index c2800ff..d8e4949 100644 --- a/conf/addon.config.php +++ b/conf/addon.config.php @@ -1,6 +1,7 @@ [ 'ldap_server' => 'localhost', diff --git a/conf/cron b/conf/cron deleted file mode 100644 index e7e5fd1..0000000 --- a/conf/cron +++ /dev/null 
@@ -1,2 +0,0 @@ -# Run poller periodically to update Friendica -*/10 * * * * __APP__ /usr/bin/php__PHPVERSION__ -f __INSTALL_DIR__/bin/worker.php \ No newline at end of file diff --git a/conf/local-sample.config.php b/conf/local-sample.config.php index be4e5a4..9865bb8 100644 --- a/conf/local-sample.config.php +++ b/conf/local-sample.config.php @@ -1,20 +1,8 @@ [ @@ -37,11 +25,17 @@ return [ 'sitename' => 'Friendica Social Network', 'register_policy' => \Friendica\Module\Register::OPEN, 'max_import_size' => 200000, + 'register_text' => '', ], 'system' => [ 'url' => 'https://__DOMAIN__', 'basepath' => '__INSTALL_DIR__', 'default_timezone' => '__TIMEZONE__', 'language' => '__LANGUAGE__', + 'pidfile' => '__INSTALL_DIR__/daemon.pid', + // Blocks search for users who are not logged in to prevent crawlers from blocking your system. + 'local_search' => false, + 'logfile' => '/var/log/friendica/friendica.log', + 'loglevel' => 'notice', ], ]; diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..337fc3e --- /dev/null +++ b/conf/systemd.service 
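Review bot: `'logfile' => '/var/log/friendica/friendica.log'` hardcodes the app id, while every other path in this series is templated on `__APP__` (`/var/log/__APP__/daemon.log` in the new systemd unit, `/var/log/$app` in the backup and restore scripts); if the app is installed under another id, the application log ends up in a directory that is neither backed up nor, presumably, covered by the logrotate config, and that the service user may not be able to write to. Change it to `'logfile' => '/var/log/__APP__/friendica.log',`. The `'pidfile'` path under `__INSTALL_DIR__` matches the unit's `PIDFile=`, and `'local_search' => false` is a sensible default for an instance whose main permission is public.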
@@ -0,0 +1,59 @@
+[Unit]
+Description=Friendica daemon
+After=network.target mariadb.service
+Requires=network.target remote-fs.target nss-lookup.target
+
+[Service]
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+Type=simple
+StandardOutput=append:/var/log/__APP__/daemon.log
+StandardError=inherit
+ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start
+ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop
+PIDFile=__INSTALL_DIR__/daemon.pid
+PrivateTmp=true
+InaccessibleDirectories=/home /root /boot /opt /mnt /media
+ReadOnlyDirectories=/etc /usr
+Restart=always
+RestartSec=10
+StartLimitBurst=1
+StartLimitIntervalSec=10
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md
new file mode 100644
index 0000000..2ebd035
--- /dev/null
+++ b/doc/POST_INSTALL.md
@@ -0,0 +1 @@
+You can now login to using `__EMAIL__` and your usual YunoHost password.
diff --git a/doc/POST_INSTALL_fr.md b/doc/POST_INSTALL_fr.md
new file mode 100644
index 0000000..35a987b
--- /dev/null
+++ b/doc/POST_INSTALL_fr.md
@@ -0,0 +1 @@
+Vous pouvez désormais vous connecter à en utilisant `__EMAIL__` et votre mot de passe YunoHost habituel.
diff --git a/doc/PRE_UPGRADE.d/2023.12~ynh3.md b/doc/PRE_UPGRADE.d/2023.12~ynh3.md
new file mode 100644
index 0000000..18b5ca9
--- /dev/null
+++ b/doc/PRE_UPGRADE.d/2023.12~ynh3.md
@@ -0,0 +1 @@
+This update will make your Friendica instance use a daemon to handle background tasks, instead of a cron.
diff --git a/manifest.toml b/manifest.toml
index 474b4ff..0b86a45 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -64,7 +64,7 @@ ram.runtime = "50M"
 [resources.permissions]
 main.url = "/"
 main.show_tile = true
-main.allowed = [ "visitors", "all-users" ]
+main.allowed = [ "visitors", "all_users" ]
 main.protected = true
 
 [resources.apt]
diff --git a/scripts/backup b/scripts/backup
index ae1d9ef..572b62f 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -54,7 +54,8 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 # BACKUP VARIOUS FILES
 #=================================================
 
-ynh_backup --src_path="/etc/cron.d/$app"
+ynh_backup --src_path="/var/log/$app"
+ynh_backup --src_path="/etc/systemd/system/$app-daemon.service"
 
 #=================================================
 # BACKUP THE MYSQL DATABASE
diff --git a/scripts/change_url b/scripts/change_url
index df843ac..c277451 100644
--- a/scripts/change_url
+++ b/scripts/change_url
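Review bot: `PIDFile=__INSTALL_DIR__/daemon.pid` is paired with `Type=simple`, but a PID file is only consulted for `Type=forking`; if `daemon.php start` detaches itself, systemd sees its direct child exit and, with `Restart=always` and `RestartSec=10`, relaunches the daemon in a loop — check how Friendica's daemon behaves and switch to `Type=forking` if it forks. Two directives are redundant and can go: `PrivateTmp=true` is repeated as `PrivateTmp=yes` further down, and `ReadOnlyDirectories=/etc /usr` is already implied by `ProtectSystem=full` (`ReadOnlyDirectories=`/`InaccessibleDirectories=` are also the legacy spellings of `ReadOnlyPaths=`/`InaccessiblePaths=`). `Requires=network.target remote-fs.target nss-lookup.target` has no matching `After=` for the last two targets, so they are pulled in without ordering the daemon behind them; use `After=network.target remote-fs.target nss-lookup.target mariadb.service`. The sandboxing and capability block below looks appropriate for a PHP worker that only needs outbound network access.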
@@ -16,6 +16,15 @@ ynh_script_progression --message="Updating NGINX web server configuration..." -- ynh_change_url_nginx_config +#================================================= +# MODIFY URL IN FRIENDICA CONF +#================================================= + +ynh_print_info --message="Updating the Friendica config..." + +ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php" +ynh_store_file_checksum --file="$install_dir/config/local.config.php" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index bc07915..9693a9e 100644 --- a/scripts/install +++ b/scripts/install @@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app.. # Create a dedicated PHP-FPM configy ynh_add_fpm_config +ynh_add_systemd_config --service="$app-daemon" + # Create a dedicated nginx config ynh_add_nginx_config -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" # Use logrotate to manage application logfile(s) ynh_use_logrotate 
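Review bot: `ynh_print_info --message="Updating the Friendica config..."` reports this step differently from the `ynh_script_progression` call used for the NGINX step just above it in the same script; use `ynh_script_progression --message="Updating the Friendica config..." --weight=1` so the step appears in the progress output like the others. Calling `ynh_store_file_checksum` right after rewriting `local.config.php` is the right thing to do, since the file is otherwise left looking manually modified.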
@@ -79,15 +79,19 @@ pushd "$install_dir" ynh_exec_as "$app" "php$phpversion" bin/composer.phar install --no-dev --quiet # Install application - ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall\ - --dbhost "localhost" --dbdata "$db_name" --dbuser "$db_user" --dbpass "$db_pwd"\ - --admin "$email" --tz "$timezone" --lang "$language" --url "https://$domain" + ynh_exec_as "$app" "php$phpversion" bin/console.php -f "$install_dir/config/local.config.php" # Enable LDAP Auth addon ynh_exec_as "$app" "php$phpversion" bin/console.php addon enable ldapauth - popd +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/remove b/scripts/remove index 6f01b8e..4ac1569 100644 --- a/scripts/remove +++ b/scripts/remove @@ -11,6 +11,17 @@ source /usr/share/yunohost/helpers #================================================= # REMOVE SYSTEM CONFIGURATIONS +#================================================= +# REMOVE SERVICE INTEGRATION IN YUNOHOST +#================================================= + +# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) +if ynh_exec_warn_less yunohost service status "$app" >/dev/null +then + ynh_script_progression --message="Removing $app service integration..." --weight=1 + yunohost service remove "$app-daemon" +fi + #================================================= # REMOVE SYSTEMD SERVICE #================================================= 
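Review bot: The replacement line `bin/console.php -f "$install_dir/config/local.config.php"` no longer names the `autoinstall` command that the removed lines invoked; unless Friendica's console treats a bare `-f` as an implicit autoinstall, this prints usage and the database schema is never created, which the following `addon enable ldapauth` would then fail on. I would expect `ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall -f "$install_dir/config/local.config.php"` — please confirm against a fresh install log. Passing the settings through the config file instead of `--dbpass "$db_pwd"` on the command line does keep the database password out of the process list, which is a good change.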
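Review bot: The guard `if ynh_exec_warn_less yunohost service status "$app" >/dev/null` queries the service `$app`, but what install and restore register (and what the body removes) is `$app-daemon`; the status check therefore fails on every removal and `yunohost service remove "$app-daemon"` is never executed, leaving a stale entry in YunoHost's service list. Change the condition to `if ynh_exec_warn_less yunohost service status "$app-daemon" >/dev/null`. While at it, the comment `# Remove the service from the list of services known by YunoHost (added from \`yunohost service add\`)` could name `$app-daemon` so the next reader does not assume the service is called `$app`.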
@@ -27,7 +38,7 @@ ynh_remove_logrotate ynh_remove_fail2ban_config -ynh_secure_remove --file="/etc/cron.d/$app" +ynh_remove_systemd_config --service="$app-daemon" #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 496e7a4..ecc27d9 100644 --- a/scripts/restore +++ b/scripts/restore @@ -17,6 +17,9 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" +if [ -f "$install_dir/daemon.pid" ]; then ynh_secure_remove --file="$install_dir/daemon.pid"; fi + +chmod -R o-rwx "$install_dir" chown -R "$app:www-data" "$install_dir" chmod -R 775 "$install_dir/view/smarty3" @@ -38,14 +41,19 @@ ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/systemd/system/$app-daemon.service" +systemctl enable "$app-daemon.service" --quiet + +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" + +ynh_restore_file --origin_path="/var/log/$app" + ynh_restore_file --origin_path="/etc/logrotate.d/$app" ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf" ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf" ynh_systemd_action --action=restart --service_name=fail2ban -ynh_restore_file --origin_path="/etc/cron.d/$app" - #================================================= # GENERIC FINALIZATION #================================================= @@ -57,6 +65,8 @@ ynh_systemd_action --service_name="php$phpversion-fpm" --action=reload ynh_systemd_action --service_name=nginx --action=reload +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #============== # FINALIZATION #============== diff --git a/scripts/upgrade b/scripts/upgrade index 0ff2f28..4a1ca5b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -20,7 +20,7 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -51,9 +51,14 @@ ynh_add_fpm_config ynh_use_logrotate --non-append -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" +if [ -f "/etc/cron.d/$app" ]; then + ynh_print_info --message="Removing the legacy cron..." + ynh_secure_remove --file="/etc/cron.d/$app" +fi + +ynh_add_systemd_config --service="$app-daemon" + +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" # Create a dedicated Fail2Ban config ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"\".*$" 
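Review bot: `ynh_systemd_action --service_name="$app-daemon" --action="stop"` is the first step of the upgrade, yet on the upgrade path this series targets (the previous release used `/etc/cron.d/$app`, which the second hunk on this line still has to clean up) no `$app-daemon` unit exists at that point; if the helper reports the failed `systemctl stop` as an error, the upgrade dies before the new unit is ever installed. Guard the call: `if [ -e "/etc/systemd/system/$app-daemon.service" ]; then` / `    ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log"` / `fi`. The `--log_path` change itself is right, since the old `/var/log/$app/$app.log` is not what the new unit writes to.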
@@ -65,7 +70,16 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1 # fix the url if necessary (there should be no trailing slash) if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "'url' => 'https://$domain'," "$install_dir/config/local.config.php"; then + ynh_print_info --message="Patching the Friendica config file: fix the domain setting..." ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php" + ynh_store_file_checksum --file="$install_dir/config/local.config.php" +fi + +# add the path to the pidfile if missing +if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "pidfile" "$install_dir/config/local.config.php"; then + ynh_print_info --message="Patching the Friendica config file: add the PID file path for the daemon..." + ynh_replace_string --match_string="'basepath' => '$install_dir'," --replace_string="'basepath' => '$install_dir',\n 'pidfile' => '$install_dir/daemon.pid'," --target_file="$install_dir/config/local.config.php" + ynh_store_file_checksum --file="$install_dir/config/local.config.php" fi #================================================= @@ -78,6 +92,13 @@ pushd "$install_dir" ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update popd +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/tests.toml b/tests.toml index 173c0cc..5071587 100644 --- a/tests.toml +++ b/tests.toml 
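Review bot: The pidfile patch only runs when `grep -q -e "pidfile"` finds nothing, and then depends on `ynh_replace_string` matching the exact line `'basepath' => '$install_dir',`; if an admin hand-edited that line the replacement is a silent no-op, the checksum is stored anyway, and the daemon started a few lines later runs without the pidfile the unit's `PIDFile=` expects. After the `ynh_replace_string` call, verify the edit took: `grep -q -e "pidfile" "$install_dir/config/local.config.php" || ynh_die --message="Could not add the pidfile setting to local.config.php"`. Adding `ynh_store_file_checksum` to the existing `'url'` fix above it is a good catch.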
@@ -1,3 +1,5 @@
+#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
+
 test_format = 1.0
 
 [default]
From 677a1415261063d4fe6d9f3d22f57763f644fabf Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 22 Feb 2024 05:04:49 +0100
Subject: [PATCH 5/6] bump version
---
 manifest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifest.toml b/manifest.toml
index 0b86a45..0c6a3b0 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -7,7 +7,7 @@ name = "Friendica"
 description.en = "Decentralized Social Network"
 description.fr = "Réseau social décentralisé"
 
-version = "2023.12~ynh2"
+version = "2023.12~ynh3"
 
 maintainers = [ "" ]
 
From 687f504132dd89ff7fe67b041af42f84fd66685b Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Thu, 22 Feb 2024 04:04:54 +0000
Subject: [PATCH 6/6] Auto-update README
---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e503bad..2f5f729 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Friendica is a decentralised communications platform that integrates social comm
 Friendica connects you effortlessly to a federated communications network of several thousand servers, with more than half a million user registrations. You can directly connect to anyone on Friendica, Mastodon, Diaspora, GnuSocial, Pleroma, or Hubzilla, regardless where each user profile is hosted.
 
-**Shipped version:** 2023.12~ynh2
+**Shipped version:** 2023.12~ynh3
 
 **Demo:** https://dir.friendica.social/servers
diff --git a/README_fr.md b/README_fr.md
index f07f5b3..c3a0b53 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -20,7 +20,7 @@ Friendica is a decentralised communications platform that integrates social comm
 Friendica connects you effortlessly to a federated communications network of several thousand servers, with more than half a million user registrations. You can directly connect to anyone on Friendica, Mastodon, Diaspora, GnuSocial, Pleroma, or Hubzilla, regardless where each user profile is hosted.
 
-**Version incluse :** 2023.12~ynh2
+**Version incluse :** 2023.12~ynh3
 
 **Démo :** https://dir.friendica.social/servers